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Abstract. We present one of the most efficient attacks against the com- 
bination generator. This attack is inherent to this system as its only as- 
sumption is that the filtering function has a good autocorrelation. This is 
usually the case if the system is designed to be resistant to other kinds of 
attacks. We use only classical tools, namely vectorial correlation, weight 
4 multiples and Walsh transform. 
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1 Introduction 

The combination generator is, together with the filter generator, one of the 
simplest and most analyzed construction of stream ciphers. It uses as an internal 
state many linear feedback shift registers (LFSRs). We will write m for their 
total size in bits. These registers are filtered using a 7i-variable balanced Boolean 
function / (from F£ into F2) to produce the keystream (zt)t>o- The inputs of 
this function are taken from some bits in the LFSRs internal states. We will 
write x t for the n-bit vector corresponding to the inputs of / at time t. Notice 
that we will always write such vector of bits in bold. Our goal here is to find the 
key (that is the initial state of all the LFSRs) knowing the keystream sequence 
(zt)t>o and all the components of the combination generator. 

The classical way to attack such a system is to use a correlation attack [Sie85] 
or one of its variants called fast correlation attacks [MS88,CT00,JJ00]. The idea 
is to exploit the existence of a statistical dependence between the keystream 
and one of the constituent LFSR. For example, if we write x = (u, v) where u 
corresponds to the bits taken from the first LFSR, such a dependence exists if 
for some linear function £, 

Pr[/(u,v)=i(u)]^l/2 . 
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One can then perform an exhaustive search on the initial state of the first LFSR 
(or any other targeted LFSR) and try to detect a bias. In order to ensure that 
there is no such bias (or a really low one) / is usually chosen with a high non- 
linearity and a low autocorrelation. 

In the fast correlation attacks, one sees the search of the initial state as 
a decoding problem of the linear code generated by the target LFSR and the 
linear function t. Then, instead of an exhaustive search, it is possible to avoid 
examining all possible initializations of the target LFSR by using some efficient 
error-correcting techniques. Usually the attack becomes faster but requires a 
larger amount of keystream. 

This paper presents a new attack on the combination generator. At first sight, 
it may not seems that new because we use only classical tools, namely low weight 
multiples, vectorial correlation and Walsh transform. But in our knowledge, they 
are used in an original way and we add some interesting insights. Moreover, this 
attack is not based on any particular weakness of the filtering function like for 
correlation attacks. Actually, we can even attack a system where we do not 
know the filtering function used! To simplify our analysis we only assume that 
/ has a good autocorrelation. However choosing a filtering function without this 
property will open the door to the correlation attacks described above. 

The paper is organized as follows. We begin by explaining the attack prin- 
ciple in the next section. Then, in Section 3, we detail the algorithm and the 
complexity of the different steps involved. We give in Section 4 the actual time 
complexity of our implementation on an example combination generator. We 
finally conclude in the last section. 

2 Attack principle 

We describe here an attack on the combination generator based on the theorem 
given at the end of this section. What we actually show is how to find the initial 
state of some of the LFSR composing the system. This is certainly enough to 
say that the system is insecure and recovering the rest of the initial state require 
usually less work. The best method for this task is more dependent on the actual 
system we are working on and we will give in Section 4 an example of how we 
can actually do it. 

So, suppose we are given a combination generator and we are able to observe 
a large amount of keystream bits, the Zt's. We denote by x t the input of the 
filtering function for this observed system at time t, that is we have Zt = /(xt). 
We split the LFSRs involved into two groups and do an exhaustive search on 
the initial states of the first LFSRs. For a given value / of this partial initial 
state, we write y t for the hypothetical first part of the filtering function input 
at time t. That is, the part we can compute given /. We also need one or more 
common weight 4 multiples 1 + A* 1 + X t2 + X* 3 of the feedback polynomials of 
the LFSRs in the second group. We then compute the ratio Pj of times t such 
that 

zt + z t +t 1 + z t +t 2 + z t+t 3 = 



amongst all the t's such that 



yt + yt+u + yt+t 2 + y*+t 3 = • 

Remark that the number of such time instants at our disposal is directly linked 
to the amount of keystream we know. Now, how can we distinguish the real 
partial initial state from the others? 

— If I is the actual first part of the initial state, then we know we look only 
at times t such that x t + x t+tl + x t+t2 + x t+t3 = 0. This is because we are 
working with a multiple of the other LFSRs feedback polynomials. Then, it 
is reasonable to assume that the ratio Pj is an estimate of the probability 
Pr(/(ui) + f(u 2 ) + /(u 3 ) + /(u 4 ) = | J2i u i = °)- Hcrc tlic u * arc vectors 
in F 2 uniformly distributed amongst the one having the required property. 

— If / is not the actual first part of the initial state, even in the worst case where 
only the initial state of one LFSR was not guessed correctly, it is reasonable 
to assume that the sum x t +x Wl +x t+t2 +x t+t3 is different from roughly 
half of the time. For theses points, we then have an estimate for one of the 
probabilities Pr(/(ui) + /(u 2 ) + /(u 3 ) + /(u 4 ) = | £) 4 u 4 = u) where 

Hopefully for us, the two cases are distinguishable thanks to the following result 
taken almost directly from [Did07] and already present in the work of Sabine 
Leveiller [Lev04]. 

Theorem 1. Let f be a n-variable balanced Boolean function, and let Ui, u 2; 
113, 114 be 4 uniformly distributed n bits vector such that Ui + u 2 + U3 + U4 = u. 
Let P u := Pr(/(ui) + /(u 2 ) + /(u 3 ) + /(u 4 ) = 0), then we have 

P > 1 

2 2™+i 

and 

min (P a - P u ) > -4t I 1 - 4m 
u ^o v ' ~ 2 Il+1 V 2" / 

where Af is the maximum of the autocorrelation coefficients of f and is usually 
small compared to 2™. 

Proof, see Appendix. 

We will assume in the rest of this paper that the filtering function has a good 
autocorrelation property which result in a difference between these probabilities 
of tjttft- This is a reasonable hypothesis because it is the case for the function 
usually used in this settings [GK03]. In particular, it is a needed property to 
resist against correlation attacks. 



3 Detailed analysis 

We describe here our attack in details and hence need some more notations. 
Since we split the LFSRs in two groups, we will write m = mi + m-i where m,\ 
is the total size in bits of the LFSRs in the first group. That is the one we do an 
exhaustive search on. Similarly, we write n = n\ + ni for the inputs bit of the 
filtering function /. Remark that in practice, n is kept small compared to m for 
efficiency issues. Our result is summarized in this theorem: 

Theorem 2. Our attack recovers m\ bits of the initial states in complexity 
0(m 1 2 ni 2 mi ). It requires 0(2~ + mi2 2n+ " 1+1 ) consecutive bits of key stream 
and a memory of 0(2 mi ). If the memory requirement is too big, some tradeoff 
exists until a complexity of 0(mi2 2n+ni 2 mi ) and a memory of 0(mi2 2n+ni ). 
This attack also require a precomputation phase of complexity and memory in 
0(2^). 

3.1 Computing weight 4 multiples 

We need to compute one or a few weight 4 common multiples of the second group 
of LFSRs. We show here that this precomputation phase can be dealt with a 
complexity and memory around 0{2~). 

What we need is only a few multiple of degree as small as possible. If we look 
at LFSRs of total size 7712, it is well known that the expected number of weight 4 
multiples of degree D is heuristically approximated by considering that 

for D large enough the values of the polynomials of weight 4 and degree at most 
D are uniformly distributed. 

There are many algorithms to compute low weight multiples whose complex- 
ity depends on the parameters D which in our case is around 2~ . One can use 
the algorithm in [CJM02] but for weight 4 multiples, the most efficient is the 
one of [DLC07]. It's especially adapted here, as we need to find a simultanous 
multiple of many polynomials. 

Its complexity is in O(D) times the complexity to compute discrete loga- 
rithms in the multiplicative group F* ;i x • ■ ■ x F* lfc where the U are the respective 
length of each LFSR. This task is particularly easy since using Pohlig-Hellman 
algorithm it can be splited into k discrete logarithms computation in each of the 
finite field multiplicative groups involved. 

3.2 Amount of keystream needed 

Wc prove here the following lemma 

Lemma 1. We need to consider around N := mi2 2n+nl+1 degree 4 equations to 
identify the correct partial initial state. This translates to 0(2~s~ + mi2 2n+ni+1 ) 
consecutive keystream bits needed. 



Given the results in Section 2, mainly Theorem 1, we need to distinguish in 
the worst case between two binomial distributions, one of parameter i + „ r } +1 
and one of parameter at most | + 2 n+2 ■ However, for most of the wrong partial 
initial states, we will just observe a law of parameter J, so the bias we need to 
detect is in practice close to ^rr- 

A classical results from statistics tell us that using S samples, we have an 
error probability of roughly 2~ 22^+1 . We thus need at least 2 2ri+1 samples to be 
able to distinguish the two distributions. But this is not sufficient in our case. 

Recall that we are doing an exhaustive search on 2 mi possible states, so the 

-s 

average number of wrong states passing the statistical test will be 2 mi 2 2 2 ™+ 1 . 
We thus need a number of samples equal to at least toi2 2 ™ +1 to obtain only a 
few possible candidates for the real initial states. Notice that with this number 
of samples, the probability to miss the initial states is of 0(2~ mi ) which is really 
small. 

What is the amount of keystream needed to get that many samples? For 
one sample, we will need to consider 2™ 1 degree 4 equations since this is the 
expected number for y t + yt+ti + Yt+t 2 + Yt+t 3 to be equal to 0. The average 
degree of the lowest weight 4 multiples is 0(2t 2 ") (see previous subsection). 
By shifting this multiple x times, we get x degree 4 equation for 0(2~^~ + x) 
consecutive keystream bits. Hence, the required amount of keystream is 0{2~£~ + 
mi2 2n+ni+1 ). 

We assumed here that we use only one weight 4 multiples. If we use many, it is 
actually possible to need less keystream at the expense of more precomputation. 
This gain is difficult to analyze as it really depend on the used LFSRs, but may 
definitely be useful in practice. However, it will not change the overall asymptotic 
keystream needed. 



3.3 Performing the attack efficiently 

We show in this subsection how to find the initial states in 0(mi2 ni 2 mi ) instead 
of 0(N2 mi ) with a straightforward implementation. Notice that this is a huge 
gain since in our case m\2 ni <C N. On the memory side, we need 2™ 1 integer in 
the second case compared to N bits in the first one. If this is a problem, we can 
actually trade memory for time and be anywhere between those two algorithms. 

In order to perform our attack, we have to compute many quantities involving 
time positions of the form (t, t+t2, t+t2, t+t^). Since we may use many multiples, 
let just assign an index i to such 4-tuple. We will then write z(i) for the sum of 
the zt for the 4 time positions number i and y(i) in the same way. 

Computing the probability estimate for a given partial initial state is roughly 
the same as computing the number of indices i such that y(i) = and z(i) = 0. 
Actually to get the true probability, we also need to know how many indices are 
such that y(i) = and z(i) = 1 but this will not change our discussion or the 
final complexity. So let restrict ourselves on the N' indices i such that z(i) = 0. 

If we do this independently for each of the 2 mi partial initial states, the 
complexity is then in N'2 mi which is pretty large. In order to improve on this 



complexity, let us start by assuming that out of the mi bits, only one is used 
as an input for the filtering function /, that is we assume the to be scalar. 
Remark now that any linear combination of bits from the internal states of 
some LFSRs can be expressed as a linear expression of the initial state of theses 
LFSRs. This is the case for the y(i). We can then define a binary linear code of 
generator matrix G of size mj x N' such that for a given partial initial state u 
the i-th element of uG is precisely y(i). The number we try to compute for a 
given initial state u is then just N' minus the Hamming weight of uG. 

Is there a way to compute the Hamming weight of each codeword in a code 
of length N' and dimension mi faster than 2 mi N' ? The answer is yes, thanks 
to the Walsh transform we can do it in 0(mi2 rni ) which in our case is a lot 
better since mi <C N'. The Walsh transform w of a function w : F™ 1 — > Z can 
be computed in 0(mi2 mi ) and is such that 

£( U ) = 5>(v)(-ir u . 

V 

If w(y) is equal to the number of columns in G equal to v, w(u) is exactly twice 
the Hamming weight of uG minus N. 

Now, what to do when the y* are not scalar ? we can use this nice formula : 

M . n E yeF -i #^y(»).y = Q}-2» 1 - 1 
#{*,y(*) = °l = ^ • 

This simply comes from the fact that when y(i) is it contributes to 2™ 1 in the 
sum whereas any other y(i) contributes only 2 ni_1 . Each cardinality in the sum 
can be computed using a Walsh transform, but since Walsh transform is linear, 
we better compute directly the Walsh transform of the function 

w(v) = #{(i,y), y.(Gi(i), • ■ -,G ni (i)) = v} 

where Gj(i) is the «-th columns of the matrix of the linear code corresponding 
to the input bit j of the filtering function. 

Finally, the time-memory tradeoff mentioned in the first paragraph directly 
follows from a time memory tradeoff in the implementation of the Walsh trans- 
form. 



4 Attack Example 

We give in this section an example of how to use our result to mount an attack 
on a given combination generator. 

The following timings were obtained on an Intel Core2 Quad CPU Q9550 
at 2.83GHz, using only one core and no more than 2GB of memory. We used a 
combination generator based on three LFSRs of size 29, 31 and 37 respectively. 
The feedback polynomials are dense in order not to have artificially easy to find 
low weight multiples. The filtering function / is a 9- variable Boolean function, 
with 3 inputs from each LFSR. It was chosen to be still balanced even if we fixed 





Precomputation 


Total online time 


Keystream used 


Attack 1 


12min27s 


7min01s 


3.06MB 


Attack 2 


3min02s 


6hl8min 


985KB 



Table 1. Global comparison of the two attacks 





1st LFSR 


2nd LFSR 


3rd LFSR 


Attack 1 


51s 


6minl0s 


Os 


Attack 2 


6hl7min 


lmin27s 


Os 



Table 2. Comparison of the different parts of the online attacks 



the input bits from any of the constituent LFSR in order to avoid traditional 
correlation attack , i.e. the function is 3-resilient. 

In the attack referred below as Attack 1 , we retrieve the initialization of the 
LFSR of size 29, 31 and 37 in this order. We thus have in a first step the following 
parameters : 

mi = 29; m 2 = 31 + 37 = 68; ni = 3; 712 = 6. 

As stated in Lemma 1, we thus need to consider approximately N = 2 26 86 mul- 
tiples of P31 x P37 of weight 4. The maximum degree needed is slightly less than 
2 25 which implies we need 3MB of keystream. Using the approach of [DLC07] 
for finding low weight multiples of degree less than 2 25 , the precomputation took 
around 13 minutes. The online time to recover the initial internal state of the 
first LFSR is only 51s, for a theoretical workload of approximately 2 37 . The 
internal state of the second LFSR is then recovered in roughly 6 minutes, using 
only very few keystream because we only need to consider multiples of the last 
feedback polynomial. Finally, the internal state of the last register is found by a 
different method almost instantly, because the full knowledge of 6 entries of our 
Boolean function amongst 9 gives us a lot of information. 

In the second version of the attack , we retrieve the initialization of the LFSR 
of size 37, 29 and 31 in this order. We thus have in a first step the following 
parameters : 

mi = 37; m 2 = 31 + 29 = 60; m = 3; n 2 = 6. 

This small difference allows us to have a lower value for m 2 , which implies that 
we need less keystream to perform the attack. We need to consider approximately 
N = 2 26 - 86 multiples of P31 xP 2 g of weight 4, the precomputation is this time only 
3 minutes and the maximum degree needed is approximately 2 23 , corresponding 
to 985KB. On the contrary, the online time to recover the initial internal state 
of the first LFSR is much longer. The theoretical workload is approximately 2 42 
and our experiment confirms this ratio as it tooks us just more than 6 hours. 
The timings to recover the two other LFSR is negligible compared to the first 
one. 



In conclusion, the Attack 1 is the best one from a complexity point of view, 
whereas the Attack 2 minimizes the amount of key stream needed. We summarize 
the timings for the two different strategies in Tables 1 and 2. 

5 Conclusion 

We presented in this paper an efficient attack on the combination generator. In 
particular, if we look at the timings given in Section 4, we are not aware of any 
other attacks that can break the chosen combination generator that efficiently. 
Remark however that breaking the combination generator still requires an ex- 
ponential number of computation. Hence, if the parameters are chosen large 
enough, such a system can still be secure given the actual knowledge. 

An important point is that the presented attack is inherent to the construc- 
tion and is not based on any particular weakness in the choice of the filtering 
function or in the constituent LFSRs. As such, it appears that for the same order 
of internal size the combination generator is a lot less secure than a single large 
primitive LFSR filtered by a non-linear function. This statement seems true in 
many ways. With a large LFSR, it is more difficult to compute any low weight 
multiples, it is more difficult to break the system into smaller components, and 
the best attacks we know are a lot less efficient. 
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A Proof of Theorem 1 



The bound on Pq, mentioned in [Can06], is already present in [Lev04]. It is a 
direct consequence of the result in [Did07] where it is shown that 




w f ( y y 



where W/(y) is the Walsh coefficient of / at point y, that is 5Z X (— l)-^ x '+ x - y . 
By Parceval equality we know that the sum J2 y Wf(y) 2 is equal to 2 2 ™ and it is 

well know that the sum of square (Wf(y) 2 ) 2 is minimized when every terms 
are equal. Hence we can upper bound everything by 



and get the first part of the theorem. 

For the second part, the result is taken directly from [Did07]. Just recall that 
the maximum of the autocorrelation coefficient is defined as 



If := max 



E (-!) /(x) 



-/(x+y; 



xeF? 



and is usually quite small for Boolean functions used in cryptography. 



